XPost: linux.debian.devel.release
--y49c2DCyQwhEDFZo
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected]
Control: affects -1 + src:qtbase-opensource-src
User: [email protected]
Usertags: unblock
Dear Release Team,
Please unblock package qtbase-opensource-src.
It fixes the same CVE as qt6-base 6.8.2+dfsg-8, so I took the liberty of
copying some wording from the qt6-base unblock bug (#1108624).
[ Reason ]
This upload backports a patch fixing CVE-2025-5455 (#1108475).
[ Impact ]
If malformed data is sent and a specific function in the Qt API (qDecodeDataUrl()) is used, it could result in a denial of service.
[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt, where it's been part of the 5.15.19 release and has therefore gone through
the normal QA.
[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 5.15.19 release.
The patch in itself is rather simple, just 4 deletions and 5 insertions.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock qtbase-opensource-src/5.15.15+dfsg-6
--
Dmitry Shachnev
--y49c2DCyQwhEDFZo
Content-Type: text/x-diff; charset=us-ascii
Content-Disposition: attachment; filename="qtbase-opensource-src_5.15.15+dfsg-6.diff"
Content-Transfer-Encoding: quoted-printable
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium
+
+ * Backport upstream patch to fix assertion errors in data: URL parsing
+ (CVE-2025-5455, closes: #1108475).
+
+ -- Dmitry Shachnev <
[email protected]> Sun, 29 Jun 2025 22:50:45 +0300
+
qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium
* Backport upstream patch to add null checks in table iface methods in
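Review bot: The new 5.15.15+dfsg-6 changelog entry describes the issue only as "assertion errors in data: URL parsing", while the Description in debian/patches/CVE-2025-5455.diff also says the code "could read even past size()". Consider wording the entry to match the patch header, for example "fix precondition violation in data: URL parsing", so a reader of the changelog alone does not conclude the problem is limited to builds with assertions enabled.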
--- /dev/null
+++ b/debian/patches/CVE-2025-5455.diff
@@ -0,0 +1,30 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level AP
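Review bot: The Description header in CVE-2025-5455.diff names QByteArrayView::at(), but QByteArrayView is a class introduced in Qt 6.0 and this package is 5.15.15. The wording appears to be carried over unchanged from the upstream commit message; consider adding a sentence to the header that names the call the 5.15 code actually makes, so the patch description is accurate for this source tree.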